Description

This attack aims to access files and directories that are stored outside the web root folder. While browsing the application, look for parameters and links that reference files stored on the web server, and note how those references are built. By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations (for example percent-encoded forms such as `%2e%2e%2f`), it is possible to access arbitrary files and directories on the file system, including application source code, configuration files and critical system files. The only limit is the operating system's access control: the attacker reads whatever the web server process is allowed to read.
The idea is to use "../" sequences to move up towards the root directory, which then permits navigating through the whole file system.
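The following is an added example, not code from the original page: a naive file-serving handler that joins the user-supplied path onto the web root, next to a hardened version that canonicalises the path and checks it is still inside the web root. The directory layout, the function names (`serve_vulnerable`, `serve_hardened`, `demo`) and the sample requests are all constructed for the demo; the requests cover a plain "../" and two percent-encoded variants, since the web server decodes the URL before the application sees it.

```python
"""Path traversal: vulnerable file-serving function next to a hardened one.

Added example (not from the original page). The web root layout, the
function names and the sample requests are all constructed for the demo.
"""
import os
import tempfile
from urllib.parse import unquote


def setup_demo_tree() -> str:
    """Create a throwaway directory tree and return the web root path.

    Layout (constructed for this example):
        <tmp>/secret.txt          outside the web root
        <tmp>/www/index.html      inside the web root
        <tmp>/www/img/logo.txt    inside the web root
    """
    tmp = tempfile.mkdtemp(prefix="traversal-demo-")
    www = os.path.join(tmp, "www")
    os.makedirs(os.path.join(www, "img"))
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("db_password=hunter2\n")
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<html>hello</html>\n")
    with open(os.path.join(www, "img", "logo.txt"), "w") as f:
        f.write("LOGO\n")
    return www


def serve_vulnerable(web_root: str, requested: str) -> str:
    """Naive handler: joins the user-supplied path onto the web root.

    A request of "../secret.txt" walks out of web_root, exactly the
    dot-dot-slash sequence the text describes.
    """
    # Web servers percent-decode the path before the application sees it.
    path = os.path.join(web_root, unquote(requested))
    with open(path) as f:
        return f.read()


def serve_hardened(web_root: str, requested: str) -> str:
    """Same handler with a containment check on the canonical path."""
    root = os.path.realpath(web_root)
    # realpath collapses "..", duplicate slashes and symlinks before the check.
    path = os.path.realpath(os.path.join(root, unquote(requested)))
    # commonpath is a true prefix test: "/srv/www" vs "/srv/www-old" does not match.
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Run both handlers over the same requests and collect the outcomes."""
    www = setup_demo_tree()
    # Constructed requests: legitimate ones, then traversal variants
    # (plain and percent-encoded forms of ../).
    requests = [
        "index.html",
        "img/../index.html",
        "../secret.txt",
        "..%2fsecret.txt",
        "%2e%2e/secret.txt",
    ]
    results = {}
    for req in requests:
        try:
            vuln = serve_vulnerable(www, req).strip()
        except OSError as e:
            vuln = f"error: {type(e).__name__}"
        try:
            hard = serve_hardened(www, req).strip()
        except PermissionError:
            hard = "blocked"
        results[req] = (vuln, hard)
    return results


if __name__ == "__main__":
    for req, (vuln, hard) in demo().items():
        print(f"{req:<22} vulnerable -> {vuln!r:<28} hardened -> {hard!r}")
```

The hardened handler still serves `img/../index.html`, because after canonicalisation that path stays under the web root; only requests whose resolved path leaves the root are rejected. Checking the raw string for the substring `..` would miss encoded variants and also break legitimate names containing two dots, which is why the check is done on the resolved path instead.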

This attack can also be carried out by injecting an external malicious resource reference into the path, in the manner of a Resource Injection attack, but it is still classified as a Path Traversal attack.

This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".

No specific tool is required to perform this attack, but it is recommended to use a spider/crawler to enumerate all available URLs and the parameters that reference files.